SEC 3302, Advanced IS Security 1
UNIT VIII STUDY GUIDE: Vulnerability Assessment and Incident Response
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
3. Prepare vulnerability assessments related to information systems (IS) security.
3.1 Prepare a vulnerability assessment for a health care facility.
3.2 Determine potential impacts resulting from unauthorized access to a health care system.
3.3 Identify the regulations associated with the health care market.
Required Unit Resources
Chapter 7: Host Hardening
Chapter 10: Incident and Disaster Response
In order to access the following resources, click the links below. You can access transcripts for the videos by
clicking on the three dots below the video on the right, then clicking “Open transcript.”
Professor Messer. (2021, January 26). Vulnerability scans – SY0-601 CompTIA Security+ : 1.7 [Video].
YouTube. https://www.youtube.com/watch?v=j9BdMP8Buq8
Professor Messer. (2021, April 29). Incident response planning – SY0-601 CompTIA Security+ : 4.2 [Video].
YouTube. https://www.youtube.com/watch?v=G6W_JkImDdg
Professor Messer. (2021, April 29). Incident response process – SY0-601 CompTIA Security+ : 4.2 [Video].
YouTube. https://www.youtube.com/watch?v=fU_w8Ou9RVg
Unit Lesson
Introduction
In this unit, we will conclude our discussion of security hardening; then, we will look at more advanced topics.
We have learned quite a bit this term about exploits, vulnerabilities, access controls, auditing, and logs. Now
that we are here, what is the next logical step in the security management process?
Host Hardening
First, let’s return to already well-trodden ground: hardening our systems. As the textbook notes, hackers have
become so sophisticated nowadays that a server installed using the installation media it came with—and set
to its pre-assigned defaults—can be under a hacker’s control within seconds. That is an alarming prospect for
an information technology (IT) professional.
Additionally, this unit shows us that it is not just servers that are at risk. Any device with an IP address is a
host: it is reachable over the network and can therefore be attacked and infected with malware. In addition to
servers, our vulnerable hosts therefore include workstations, clients, routers, and firewalls. They all need to
be protected.
We have discussed host hardening in other units: protecting hosts by making them more difficult to access
and therefore less attractive targets. How you protect each host will differ depending on the specifics of the
host. Despite this variability, basic rules apply to almost any device or software.
Security Baselines
We can also use security baselines to harden hosts and the network. A baseline is a documented standard
configuration for a class of system: which services run, which settings are required, and what patch level is
expected. It gives us a measurement to compare against future data and findings. A baseline can be turned
into a checklist of steps when a host is built, and baselines are the norm when dealing with performance
issues. Comparing a host against its baseline shows exactly where the configuration has drifted, which helps
with diagnosis.
Disk images are sometimes used to replicate an exact installation and its settings so that every installation is
safe and consistent. The textbook also addresses virtualization, which allows one physical device to run
multiple operating systems simultaneously while sharing its local resources.
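The comparison a baseline makes possible can be scripted. The following Python script is an added example for this study guide, not the textbook's code: it parses a constructed sshd_config sample, checks it against a small constructed baseline (directives and values chosen to mirror common OpenSSH hardening advice, not any real organization's standard), and reports every directive that is missing or set to a non-compliant value.

```python
"""Compare a host's observed configuration against a security baseline.

Added example for this study guide, not the textbook's code. The baseline
directives and the sample sshd_config text are constructed for illustration;
they follow common OpenSSH hardening advice rather than any real organisation's
standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline: directive -> required value. A missing directive is reported too,
# because sshd then falls back to a compiled-in default the baseline may not allow.
SSH_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sample of a host whose configuration has drifted.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    observed: Optional[str]  # None: directive absent, so the default applies


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective value of each directive.

    sshd uses the *first* occurrence of a directive, and lines beginning with
    '#' are comments, so a commented-out directive does not count as set.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)  # first occurrence wins
    return config


def check_baseline(observed: Dict[str, str], baseline: Dict[str, str]) -> List[Finding]:
    """List each baseline directive that is missing or set to a different value."""
    findings: List[Finding] = []
    for directive, expected in baseline.items():
        value = observed.get(directive)
        # Keyword values such as yes/no are case-insensitive in sshd_config.
        if value is None or value.lower() != expected.lower():
            findings.append(Finding(directive, expected, value))
    return findings


def drift_report(text: str, baseline: Dict[str, str] = SSH_BASELINE) -> List[Finding]:
    """Parse a config file's text and return its deviations from the baseline."""
    return check_baseline(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for f in drift_report(SAMPLE_SSHD_CONFIG):
        state = "MISSING" if f.observed is None else f"is {f.observed!r}"
        print(f"{f.directive}: expected {f.expected!r}, {state}")
```

Run against the sample, the script reports PermitRootLogin and MaxAuthTries as wrong and PubkeyAuthentication and LogLevel as missing; the commented-out PubkeyAuthentication line is deliberately counted as missing, because a commented directive sets nothing. The same pattern applies to any key-value configuration file, and the same report, run on a schedule, turns the baseline into a drift detector rather than a one-time build checklist.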
Vulnerabilities and Patches
A vulnerability is most often thought of as a weakness in an application or other software, but the term covers
any security weakness in a system or host on the network. Attackers are constantly trying to identify
weaknesses to exploit, so we need to continually identify and apply the updates or patches that address
them. Patches can be applied quickly and prevent the worst kinds of damage, but they can also be
problematic when vendors release too many at once, or when a patch has unintended consequences such as
reduced functionality or system freezes.
Other potential fixes include workarounds (configuration changes that block the attack until a patch is
available) and version upgrades. Service packs are large collections of fixes deployed all at once; vendors of
database servers, for example, have shipped fixes this way.
Managing Users, Groups, and Permissions
Organizations can also create user groups to help manage permissions. Every user should be assigned an
account, and multiple user accounts can be grouped. Applying a security standard to a group is much easier
and more efficient than applying it to individual accounts. Mistakes are also less likely because the rules apply
to the entire group rather than allowing each individual to follow unique security measures. Administrators are
“super users” who can completely control the system. Therefore, the fewest number of people possible should
be added to the administrator group.
Limiting the administrator group is one example of the principle that users should generally only be given the
access they need, which is accomplished by assigning appropriate permissions. Permissions dictate what
that user, or user group, is allowed to do to files or directories. There are database permissions as well as
Windows permissions.
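The group-based model described above can be made concrete. The following Python script is an added example for this study guide, not the textbook's code and not a wrapper around any real operating-system API: it models users, nested groups, and an access control list on a payroll share (all constructed), resolves a user's effective permissions through group membership, and lists everyone who ends up in the administrator group. The evaluation rule used, that an explicit deny overrides any allow, is the Windows NTFS rule.

```python
"""Resolve effective permissions through (nested) group membership.

Added example for this study guide, not the textbook's code. The users, groups
and the ACL on the payroll share are constructed. The evaluation rule used here,
an explicit deny overriding any allow, is the Windows NTFS rule; the functions
are a simplified model of it, not a wrapper around any real API.
"""
from typing import Dict, List, Set, Tuple

# Group -> members; a member may itself be a group (nesting).
GROUPS: Dict[str, Set[str]] = {
    "Administrators": {"alice"},
    "Finance": {"bob", "carol", "Finance-Leads"},
    "Finance-Leads": {"dave"},
    "Contractors": {"erin"},
}

# ACL entries: (principal, "allow" | "deny", set of permissions)
Ace = Tuple[str, str, Set[str]]
PAYROLL_ACL: List[Ace] = [
    ("Administrators", "allow", {"read", "write", "delete"}),
    ("Finance", "allow", {"read"}),
    ("Finance-Leads", "allow", {"write"}),
    ("Contractors", "deny", {"read", "write", "delete"}),
    ("erin", "allow", {"read"}),  # has no effect: the deny via Contractors wins
]


def principals_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group they belong to, directly or through nesting."""
    principals = {user}
    changed = True
    while changed:  # fixed-point iteration handles arbitrary nesting depth
        changed = False
        for group, members in groups.items():
            if group not in principals and members & principals:
                principals.add(group)
                changed = True
    return principals


def effective_permissions(user: str, acl: List[Ace], groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of allows over all of the user's principals, minus any deny."""
    principals = principals_for(user, groups)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, effect, perms in acl:
        if principal in principals:
            (allowed if effect == "allow" else denied).update(perms)
    return allowed - denied


def all_users(groups: Dict[str, Set[str]]) -> Set[str]:
    """Members that are not themselves groups."""
    return {m for members in groups.values() for m in members if m not in groups}


def admin_members(groups: Dict[str, Set[str]], admin_group: str = "Administrators") -> Set[str]:
    """Everyone who ends up in the admin group, including via nested groups.

    This is the list the lesson says should be as short as possible; nesting a
    whole group under Administrators silently lengthens it.
    """
    return {u for u in all_users(groups) if admin_group in principals_for(u, groups)}


if __name__ == "__main__":
    for user in sorted(all_users(GROUPS)):
        print(user, sorted(effective_permissions(user, PAYROLL_ACL, GROUPS)))
    print("administrators:", sorted(admin_members(GROUPS)))
```

Two points the example makes that the prose only states: dave gets write access without ever being named on the ACL, purely through Finance-Leads nesting inside Finance, and erin's personal allow entry is useless because the deny attached to Contractors takes precedence. The admin_members audit is the check to run after any group change, since adding a group rather than a user to Administrators grants every current and future member super-user rights.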
The Importance of Strong Passwords
As mentioned previously, organizations should also have a firm password policy. Our textbook discusses
basic rules for creating passwords relating to overall length, mixed case, digits, and other character types.
But policies can be broken. Therefore, passwords should never be stored in the clear: they should be hashed
when created (passed through a one-way function, with a random salt, so that the original cannot be
recovered from the stored value) and shadowed when stored (kept in a file that only privileged accounts can
read), so that a policy violation or a stolen file does not hand an attacker usable credentials.
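Both halves of that rule, the policy check and the hashing, fit in a short script. The following Python code is an added example for this study guide, not the textbook's code. The policy rules are the ones the lesson lists (length, mixed case, digits); the minimum length of 12 and the PBKDF2 iteration count are assumptions, and the "$pbkdf2-sha256$…" string layout is a passlib-style convention chosen here so that the salt and work factor travel with the hash.

```python
"""Password policy check plus salted, iterated hashing with constant-time verification.

Added example for this study guide, not the textbook's code. The minimum length,
the iteration count and the '$pbkdf2-sha256$…' storage format are assumptions
made for the example.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.

    A fresh 16-byte salt per password means two users with the same password
    get different hashes, and precomputed tables are useless. The salt and the
    iteration count are stored alongside the digest so the verifier needs no
    other state.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:  # malformed record (also covers base64 errors)
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery-9"
    print("policy problems:", check_policy(candidate) or "none")
    record = hash_password(candidate)
    print("stored:", record)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong:  ", verify_password(candidate.lower(), record))
```

Only the record string is what should be written to the shadowed store; the plaintext exists in memory just long enough to hash it. Note that the verifier accepts whatever iteration count the record carries, so a store that was hashed at a lower work factor years ago can be upgraded transparently by re-hashing at the next successful login.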
Testing Vulnerabilities
There are times when we need to review known vulnerabilities. One way of doing this is to create test cases
that determine whether earlier fixes actually closed the exposure. Luckily, there are software packages that
help with this: vulnerability testing software. The IT department can deploy the software in the production
environment, or in a test environment, provided that environment has the same configuration and the same
updates as production; otherwise the results say nothing reliable about production.
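The version-comparison logic at the heart of patch tracking and the re-test that confirms a fix closed a finding can be shown together. The following Python script is an added example for this study guide that serves both the Vulnerabilities and Patches discussion and the testing discussion above; it is not the textbook's code and not how any commercial scanner works internally. The host inventory, the advisories and their identifiers (ADV-…) are all constructed placeholders, not real products' vulnerability data.

```python
"""Match an installed-software inventory against fixed-in versions, then re-test.

Added example for this study guide, not the textbook's code and not any
scanner's implementation. The inventory, the advisories and the ADV-… IDs are
constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str   # first version that is no longer affected
    severity: str


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    advisory_id: str
    severity: str


ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "openssh", "9.3", "high"),
    Advisory("ADV-0002", "nginx", "1.25.1", "medium"),
    Advisory("ADV-0003", "postgresql", "15.4", "high"),
]

INVENTORY: Dict[str, Dict[str, str]] = {
    "web01": {"openssh": "9.2p1", "nginx": "1.24.0"},
    "db01": {"openssh": "9.3p1", "postgresql": "15.10"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.2p1' -> (9, 2); '1.25.1' -> (1, 25, 1).

    Comparing as strings would say '1.9' > '1.10' and '15.10' < '15.4';
    integer tuples compare numerically. A non-numeric suffix ('p1', '-beta')
    ends the parse.
    """
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # suffix such as 'p1': stop after the number
            break
    return tuple(parts)


def is_older(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in, zero-padding so that 1.2 == 1.2.0."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan(inventory: Dict[str, Dict[str, str]], advisories: List[Advisory]) -> List[Finding]:
    """Every (host, product) whose installed version predates the fix."""
    findings: List[Finding] = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.product)
            if installed is not None and is_older(installed, adv.fixed_in):
                findings.append(Finding(host, adv.product, installed, adv.advisory_id, adv.severity))
    return findings


def verify_fix(before: List[Finding], after: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split earlier findings into (closed, still_open) using a rescan.

    Keyed on host/product/advisory rather than the full record, so a partial
    upgrade that is still below fixed_in counts as still open.
    """
    open_keys = {(f.host, f.product, f.advisory_id) for f in after}
    closed = [f for f in before if (f.host, f.product, f.advisory_id) not in open_keys]
    still_open = [f for f in before if (f.host, f.product, f.advisory_id) in open_keys]
    return closed, still_open


if __name__ == "__main__":
    before = scan(INVENTORY, ADVISORIES)
    for f in before:
        print(f"{f.host}: {f.product} {f.installed} affected by {f.advisory_id} ({f.severity})")
    patched = {"web01": {"openssh": "9.6p1", "nginx": "1.24.0"}, "db01": INVENTORY["db01"]}
    closed, still_open = verify_fix(before, scan(patched, ADVISORIES))
    print("closed:", [f.advisory_id for f in closed], "still open:", [f.advisory_id for f in still_open])
```

The db01 entry is there to show the trap: postgresql 15.10 is newer than the 15.4 fix, but a string comparison would report it as vulnerable, and openssh 9.3p1 must not be flagged against a 9.3 fix. The rescan step is the test case the lesson describes; it only means something when the "after" inventory is taken from the same environment and patch level that was scanned "before".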
Intrusion Response Process
Despite routine and extensive vulnerability testing, IT professionals may find that one day an attack succeeds
despite their best efforts. In such a case, there must be an intrusion response process in place to ensure
that the attacked company initiates the proper response to the incident.
According to Boyle and Panko (2021), an intrusion detection system, or IDS, is “software and hardware that
capture suspicious network and host activity data in event logs” (p. 493). Detection then becomes a partly
manual process, because a dedicated person must review the logs and decide whether an alert is significant.
That person must also know how to report the incident, and must do so quickly and accurately.
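The first pass over those event logs can be automated so the reviewer starts from alerts rather than raw lines. The following Python script is an added example for this study guide, not the textbook's code and not any IDS product's rule set: it runs two rules over constructed sshd log lines (ISO 8601 timestamps, documentation IP ranges), flagging a burst of failed logins from one source and, more seriously, a successful login from a source that was just failing. The threshold of five failures in sixty seconds is an assumption a real deployment would tune.

```python
"""Flag suspicious SSH authentication activity in event-log lines.

Added example for this study guide; not the textbook's code and not any IDS
product's rules. The log lines are constructed (ISO-8601 timestamps,
documentation IP ranges); the threshold and window are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a password-guessing burst that ends in a successful root
# login, followed by an unrelated user's single typo and normal key login.
SAMPLE_LOG = [
    "2024-03-10T14:02:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2024-03-10T14:02:04 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "2024-03-10T14:02:09 bastion sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "2024-03-10T14:02:15 bastion sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2",
    "2024-03-10T14:02:20 bastion sshd[2219]: Failed password for root from 203.0.113.7 port 51063 ssh2",
    "2024-03-10T14:02:26 bastion sshd[2221]: Failed password for root from 203.0.113.7 port 51071 ssh2",
    "2024-03-10T14:02:31 bastion sshd[2223]: Accepted password for root from 203.0.113.7 port 51080 ssh2",
    "2024-03-10T14:05:12 bastion sshd[2240]: Failed password for carol from 198.51.100.4 port 40211 ssh2",
    "2024-03-10T14:05:19 bastion sshd[2242]: Accepted publickey for carol from 192.0.2.10 port 40219 ssh2",
]


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    user: str
    when: datetime
    severity: str


def detect(lines: List[str], threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """One pass over the lines, keeping a sliding window of failures per source IP.

    'brute_force'        : `threshold` failures from one IP inside `window`.
    'success_after_fail' : a login succeeds from an IP that failed within `window`;
                           this is the case where the intruder is probably still
                           on the host and containment is still possible.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            recent = failures[m["ip"]]
            recent.append(ts)
            while ts - recent[0] > window:  # expire failures older than the window
                recent.popleft()
            if len(recent) == threshold:     # fire once, when the threshold is crossed
                alerts.append(Alert("brute_force", m["ip"], m["user"], ts, "medium"))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            recent = failures.get(m["ip"])
            if recent and ts - recent[-1] <= window:
                alerts.append(Alert("success_after_fail", m["ip"], m["user"], ts, "high"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.severity:6} {a.kind:19} ip={a.ip} user={a.user}")
```

On the sample the script produces two alerts, both for 203.0.113.7: a medium one at the fifth failure and a high one when the root login succeeds six seconds after the last failure. Carol's failure and success come from different addresses, so they produce nothing; keying on the source IP rather than the username is what keeps an ordinary typo out of the alert queue. The high-severity alert is the one that should reach a person immediately, because it answers the lesson's question about whether the intruder is still inside.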
Is the intruder still poking around, so that containment is still possible, or are they long gone with valuable,
sensitive data? The remedy depends on many factors. Once the intrusion is contained, a proper intrusion
response focuses on recovery, such as repairing server operation, restoring any lost data, and reinstalling
software.
The textbook offers an extensive discussion around the concept of punishment after a successful intrusion,
including criminal and civil prosecution options. Where legal redress is sought, jurisdictional considerations
come into play, such as the proper court in which to pursue the wrongdoer and considerations of applicable
law. For instance, are there any relevant state laws addressing the offense? Do any federal laws apply? If
the incident originated from another country, do international laws apply, and if so, in which court should
legal action be pursued? Which agencies are responsible for arrests, punishments, or seizure of assets to
satisfy a judgment?
Business Continuity
We also have to consider business continuity activities, which prepare the organization for future disruptions
in operations. For example, what would happen if operations went offline for a power company, a water
supplier, an oil refinery, or a nuclear plant? In such instances, there are literally lives on the line. Have no
doubt, as an IT specialist, your expertise may be the difference between life and death for the many people
who are affected by your industry or by a national emergency resulting from an attack.
There have been many instances of such attacks in the news, including the ransomware attack on Colonial
Pipeline in May 2021. Some experts warn that killware, malware intended to cause death, could be the next
threat on the IT front.
A component of business continuity is disaster recovery (DR), the process of restoring systems and data
after a disruption. It is a stressful time: victims lose not only system access but also data, and they must
execute the DR steps to restore it. Next, they need to communicate the incident and notify their departments.
Most of the time, key executives will want to know what happened and how to ensure that it does not happen
again.
Conclusion
This course started with concepts at a granular level and built on them unit by unit to address protection of
the organization, its systems, network, physical access, and data. As we have seen, it is best practice to
continually review every security area and component in order to maintain a stable and protected environment.
Reference
Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson.
https://online.vitalsource.com/#/books/9780135823354